
Network automation of BIG-IP F5 using Ansible Tower

Ansible adoption at Lockheed Martin
Raj Ganeshan
Infrastructure architect – Lockheed-Martin Enterprise IT

My automation story

1. How did you get started with Ansible?
I am an Infrastructure Architect at Lockheed Martin. I got started with Ansible to provision Infrastructure (Compute, Storage, Network, SSL/TLS Certificates, Containers etc.)

2. How long have you been using it?
3 years

3. What's your favorite thing to do when you Ansible?
BIG-IP F5 automation, Infrastructure-as-Code

Agenda

• Why automate network infrastructure?
• Infrastructure-as-Code (IaC) defined
• Ansible adoption at Lockheed Martin
• BIG-IP F5 – Ansible modules, AS3, DO, Jinja2 templates
• Ansible Tower concepts and workflows
• Simple GitLab lifecycle
• Deep dive – IaC with GitLab, Ansible Tower and BIG-IP F5
• The Ansible approach to network automation
• Ansible with 2FA/MFA

Why automate ?

There are really three main reasons:

• Speed – spin up an entire infrastructure architecture by running a script/playbook
• Consistency – standardize the setup of infrastructure to reduce errors and deviations
• Efficiency – all code and version-control processes can be applied to infrastructure

Enablers

• Virtualization and cloud computing
• Software-defined everything (compute, storage, networking, security etc.), a.k.a. Infrastructure-as-Code

IaC defined

Managing and provisioning computer data centers through machine-readable definition files

[Diagram: a commit trigger in the repository starts the build system, whose automation tools call the deployment API to manage the infrastructure (compute, storage, network, security)]

Before there was an IaC process …

Difficult to have a repeatable process with varying interfaces

iControlREST example to create an application pool:

curl -k -u <user:password> -H "Content-Type: application/json" -X POST -d '{"name":"some-pool","members":[ {"name":"10.10.0.64:80","description":"first member"} ] }' https://10.10.0.1/mgmt/tm/ltm/pool

Cisco API example (obtain a token first):

curl -v -X POST https://10.10.0.64/api/v1/auth/token-services -H "Accept:application/json" -u "user:password" -d "" --insecure -3

Use the token to do something:

curl -v -H "Accept:application/json" -H "X-Auth-Token: <token>" -H "content-type: application/json" -X POST https://10.10.0.64/api/v1/nat-svc/pool -d '{"nat-pool-id": "test4-nat-pool", "start-ip-address": "10.10.0.1", "end-ip-address": "10.10.0.63", "prefix-length": 32}' --insecure -3

Note that both vendors' one-off commands disable certificate verification (-k / --insecure) and put credentials on the command line, where they land in shell history; a tool-driven IaC process can supply credentials from a vault and verify the device certificate instead.

Documentation - https://clouddocs.f5.com/api/

Ansible adoption at Lockheed Martin

• Ansible is the foundation of our IaC approach

• Ansible is being used for provisioning and configuring infrastructure (compute, storage, network, security) for on-prem environments, public cloud, and hybrid cloud environments

• Ansible Tower is being used for managing orgs, users, templates, workflows etc. and is an important part of the automation tool-chain

• We are using Red Hat provided training and complementing it with internal training

• Ansible Engine and Ansible Tower software are licensed through Red Hat

BIG-IP F5

Application traffic routing and management
• Load balancing
• HTTP/HTTPS
• Health monitors

Secures applications using SSL/TLS
• SSL termination and pass-through
• Different ciphers and algorithms

Monitoring, analytics and metrics

Automation
• API
• Application Services 3 Extension (AS3)
• Declarative Onboarding (DO)

Integration
• Ansible templates and modules

Ansible modules for BIG-IP F5

• Automating initial configuration on the BIG-IP

• Automation to network the BIG-IP (VLANS, Self-Ips)

• Automated deployment of HTTP and HTTPS applications

• Managing Virtual-Servers, Pools, Monitors and other configuration objects

• Documentation – https://clouddocs.f5.com/products/orchestration/ansible/devel/ and https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html#f5

• Open source – https://github.com/F5Networks/f5-ansible

BIG-IP Application Services 3 (AS3) Extension

• Declarative model for managing BIG-IP configuration
• Defined by a JSON schema
• Layer 4-7 application and security services
• Atomic and idempotent
• BIG-IP version 12.1.x or higher

• POST to https://<BIG-IP>:<port>/mgmt/shared/appsvcs/declare

• Documentation – https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/

BIG-IP Declarative Onboarding (DO)

• A declarative model to initially configure a BIG-IP device

• BIG-IP version 13.1.0 or higher

• Layer 1-3 configuration

• POST and GET to https://<BIG-IP>:<port>/mgmt/shared/declarative-onboarding

• Documentation – https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/

Ansible approach – Imperative vs. Declarative

• Declarative (functional) – What
You define the desired state and the system executes what needs to happen

• Imperative (procedural) – How
You define the specific commands to be executed in the appropriate order to reach the desired state

• Intelligent (environment aware) – Why
The system determines the desired state before it executes what needs to happen to achieve it

• Ansible uses a push-type, declarative and imperative approach.

[Diagram: overlapping Declarative, Imperative and Intelligent approaches]

Jinja2 templates for network configuration

- Jinja2 templates are used to template a file for a remote device
- The rendered contents are written to a file at a remote location

[Diagram: global YAML vars and local YAML vars feed Jinja2 templates, which Ansible renders into configs]
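An added example (not the talk's own code) that ties the AS3 declaration described earlier to the YAML-vars-plus-Jinja2 pattern: the playbook renders tenant, VIP and pool members into an AS3 declaration and POSTs it with the uri module. The host name, addresses and vault_* credential variables are assumptions.

```yaml
# Added example (not from the talk): an AS3 declaration whose VIP and pool
# members come from YAML vars via Jinja2, POSTed with the uri module.
- name: Deploy an HTTP application on BIG-IP with AS3
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    bigip_host: bigip.example.internal           # placeholder host name
    vip: 10.0.10.20                              # constructed sample values
    pool_members: ["10.0.20.11", "10.0.20.12"]
  tasks:
    - name: POST the declaration to the AS3 endpoint
      ansible.builtin.uri:
        url: "https://{{ bigip_host }}/mgmt/shared/appsvcs/declare"
        method: POST
        url_username: "{{ vault_bigip_user }}"   # injected from a Tower credential
        url_password: "{{ vault_bigip_pass }}"   # or Ansible Vault, never literal
        force_basic_auth: true
        validate_certs: true                     # the IaC replacement for curl -k
        body_format: json
        body:
          class: AS3
          action: deploy
          declaration:
            class: ADC
            schemaVersion: "3.0.0"
            Lab_Tenant:
              class: Tenant
              web_app:
                class: Application
                serviceMain:
                  class: Service_HTTP
                  virtualAddresses: ["{{ vip }}"]
                  pool: web_pool
                web_pool:
                  class: Pool
                  monitors: [http]
                  members:
                    - servicePort: 80
                      serverAddresses: "{{ pool_members }}"
        status_code: [200, 202]                  # 202 = AS3 switched to async
      register: as3_result
      no_log: true                               # keeps credentials out of job logs
    - name: Fail if a synchronous deploy reported a non-200 tenant result
      ansible.builtin.assert:
        that:
          - as3_result.status == 202 or
            (as3_result.json.results | map(attribute='code') | list | unique) == [200]
```

Tenant and application names are literal keys because Ansible templates dictionary values, not keys; a 202 response means AS3 moved the deploy to an asynchronous task that has to be polled separately.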

Ansible Tower

• Ansible Tower is the easy-to-use UI, dashboard, and REST API for Ansible
• Role-based access control – teams, users in various roles, integration with LDAP/AD
• Job and workflow templates for automation, workflows and much more!
• Job scheduling – schedule your jobs and set repetition options
• Fully documented REST API

• User guide – https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html

Ansible Tower – Workflow Templates

• A combination of job templates, project syncs, and inventory syncs linked together to execute them as a single unit.

• Extra vars and prompt-on-launch – extra vars override vars specified elsewhere; prompt-on-launch lets you provide an inventory or extra variables when the workflow template is launched

• Assign permissions
• Create notifications
• Create schedules
• Create surveys (dialogs)
• Use the Workflow Visualizer to build a workflow
• Launch the template

Ansible Tower – End to end flow

[Diagram: developers/engineers and self-service end users commit a change; the repository commit trigger, change-control approval, SCM update and template automation in Ansible Tower run the modules against the managed infrastructure via API calls, with validation/integration feeding back and the returned status_code checked]

- Declarative Onboarding is used to initially configure a BIG-IP device (Layer 1-3)
- AS3 is used for applications and security (Layer 4-7)

Simple Gitlabs lifecycle

• Clone the repo to get a working copy
• Modify the working copy by editing/adding files
• Fetch changes made by other developers
• To see commits added to the upstream master:

git log --oneline master..origin/master

• Merge the commits into your local master:

git checkout master
git merge origin/master

• Commit your changes
• Push to master

Deep dive notional architecture

• Multi-AZ deployment for HA and DR with network load-balancer

• Public and private subnets for network isolation and security

• Security groups for ingress/egress rules

• BIG-IP and computes in private subnet

Deep dive environment

• EC2 instances with NICs and elastic IPs

• Security group with ingress/egress rules

• A role for the BIG-IP EC2 instance

https://github.com/ansible/workshops/tree/master/exercises/ansible_f5/3.0-as3-intro
https://github.com/f5devcentral/f5-big-iq-lab
https://github.com/rajganeshan/ansiblefest2019

AWS Marketplace

https://aws.amazon.com/marketplace/

Ansible network modules

• Automate repetitive tasks

• Configure, test and validate network state

• Separate data model from the execution layer (Ansible engine)

• Simple, agentless automation

• Can communicate over SSH or HTTPS

• Documentation – https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html

Ansible modules – Local vs. Remote execution


Ansible network modules – Local execution

• Network devices do not typically have Python installed on them
• So Ansible cannot execute tasks directly on the host
• As a workaround, Ansible uses itself (the control node) as a proxy for the tasks to be executed against
• Tasks are eventually executed on the remote network device by calling its REST API

[Diagram: the inventory (a list of hosts) and the playbook (a file describing actions to take) feed the Ansible engine, which executes the playbook for each host in the inventory and talks to the device API]
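An added example (not from the talk) of the BIG-IP modules listed earlier running in the local-execution mode just described: the play runs on the control node and each module reaches the BIG-IP through the REST API using the provider dict. It assumes a `bigips` inventory group, the f5networks.f5_modules collection and vault_* credential variables.

```yaml
# Added example (not from the talk): F5 modules executed on the control node
# (connection: local) against each BIG-IP in the inventory via its REST API.
- name: Create a pool and members with the F5 modules (local execution)
  hosts: bigips                     # inventory group of BIG-IP devices (assumed)
  connection: local                 # no Python on the appliance: run tasks here
  gather_facts: false
  vars:
    provider:
      server: "{{ inventory_hostname }}"
      server_port: 443
      user: "{{ vault_bigip_user }}"       # from a Tower credential / Vault
      password: "{{ vault_bigip_pass }}"
      validate_certs: true                 # verify the device certificate
  tasks:
    - name: Ensure the pool exists with an HTTP health monitor
      f5networks.f5_modules.bigip_pool:
        name: web_pool
        lb_method: round-robin
        monitors: [/Common/http]
        provider: "{{ provider }}"

    - name: Ensure each member is in the pool (idempotent on re-run)
      f5networks.f5_modules.bigip_pool_member:
        pool: web_pool
        host: "{{ item }}"
        port: 80
        provider: "{{ provider }}"
      loop: ["10.0.20.11", "10.0.20.12"]   # constructed sample members
```

Running the play twice reports no changes the second time, which is the consistency property the talk lists as a reason to automate.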

Git concepts

• Git repo – a virtual storage to save versions of your code
• Tags – a meaningful name for a version. Tags are immutable and meant for product releases
• Branches – a line of development created to work on a new feature. When completed it is merged back into the master branch
• HEAD – a pointer that always points to the latest commit in the branch. HEAD is updated with the latest commit

Gitflow lifecycle

• A strict branching model designed around project releases
- Dev and Master branches
- Master stores the official release history (with tags) and Dev is used for integrating features

• Feature branches
- Use Dev as their parent branch
- When complete, get merged back into Dev

• Release branches
- Forked off Dev and meant for a release candidate
- No feature branches until it is merged into Master and back into Dev

MFA/2FA for BIG-IP F5

Remote user account management:

• BIG-IP system requires one or more administrative user accounts

• Store BIG-IP user accounts on a remote authentication server (not locally)
- LDAP
- Active Directory
- RADIUS
- TACACS+

• Remote server performs all authentication of user accounts

• Configure BIG-IP system to use the remote server to authenticate system accounts

• Documentation – https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html
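An added example (not from the talk) of configuring the BIG-IP to authenticate its system accounts against a remote TACACS+ server, which is one of the options listed above. It assumes the bigip_device_auth module from the f5networks.f5_modules collection, a `bigips` inventory group, and vault_* variables; the server addresses are constructed placeholders.

```yaml
# Added example (not from the talk): point BIG-IP system authentication at a
# remote TACACS+ server so administrative accounts are not stored locally.
- name: Use a remote TACACS+ server for BIG-IP system accounts
  hosts: bigips                          # inventory group of BIG-IP devices (assumed)
  connection: local
  gather_facts: false
  tasks:
    - name: Configure remote authentication (module is idempotent)
      f5networks.f5_modules.bigip_device_auth:
        type: tacacs
        servers:
          - 10.0.30.5                    # constructed sample TACACS+ servers
          - 10.0.30.6
        secret: "{{ vault_tacacs_secret }}"   # shared secret from Vault, not literal
        protocol_name: ip
        service_name: ppp
        authentication: use-all-servers  # try every server before failing auth
        use_for_auth: true               # make it the source for system accounts
        provider:
          server: "{{ inventory_hostname }}"
          user: "{{ vault_bigip_user }}"
          password: "{{ vault_bigip_pass }}"
          validate_certs: true
      no_log: true                       # keep the shared secret out of job logs
```

Keep the BIG-IP's local admin account as a break-glass fallback so a TACACS+ outage does not lock operators out of the device.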